We founded Arnica in 2021 with the vision of a world in which software development is unimpeded by risk. Today, we launch the Arnica product as our first major step toward that goal! Check out our story below...
Back in 2020, when I worked at Finastra as the VP of Security, our CEO heard about the software supply chain attack against SolarWinds. He knew that our application security program was mature, and as expected, asked me what we were doing to avoid being in the same situation, especially given the sensitivity of Finastra’s FinTech software.
The concept of the software supply chain was emerging and so I did not have an immediate answer. I set out to find the solution, but I did not expect it to be so challenging.
My teams and I met with dozens of security companies and ran a handful of POCs. Most of the solutions were too narrow (e.g., signing components, checking misconfigurations) or ended up increasing our operational cost significantly (e.g., automating threat modeling after the code is implemented, instead of during design).
None of the vendors solved the root causes to software supply chain attacks holistically, so I approached a roadblock. And thus, the idea for Arnica was planted!
I joined forces with my co-founders, Moshe (Diko) Dahan, and Eran Medan. The three of us saw the same challenges from different angles – each with our different backgrounds in security, operations, and engineering, respectively. We had dozens of conversations with CISOs, DevOps, and engineering leaders to better understand their challenges and how to solve the software supply chain security problem.
We learned that providing visibility to risks is important, but that this is only a sliver of the challenge. More importantly, we realized how crucial it is to make it easy to actually fix the risks. And on top of that, the mitigation for each risk must be presented and executed in a way that doesn’t hinder development velocity – or better yet, accelerate it.
It was then that we decided to leave our comfortable jobs and pursue the vision of a world in which software development is unimpeded by risk.
Software supply chain attacks surprise everyone. Based on our research, the root causes of all attacks since 2018 can be bucketed into (1) improper access management to the development ecosystem, or (2) an inability to identify anomalous identity (users and automation accounts) or risky code behavior.
Arnica takes a behavior-based approach to software supply chain security risk mitigation.
Starting with the challenge of improper access management, Arnica identifies excessive permissions to your source code and mitigates them in a single click. We do this while providing self-service access capabilities to developers via Slack so that requesting or regaining permissions is easy.
For example, a company can decide (based on policy) to automatically re-grant any permission that was revoked in the last 90 days; but, when a new developer requests permission to a sensitive code repository or branch, the request will route (based on policy) to a specific Slack channel for approval. Then permissions are provisioned automatically when the request is approved.
Here is an example of the developer’s experience using Arnica’s Slack bot.
One of the exciting things about Arnica’s patent-pending excessive permission mitigation approach is that it tells you which permissions will be effective after the change. For example, when Admin permission is reduced Arnica will grant the minimum permission needed by the user based on their specific historical behavior.
Code risk is one of the big domains we decided to tackle incrementally, and we started with mitigating secrets in code. Yes, you read it correctly – Arnica’s patent-pending solution doesn’t only identify hardcoded secrets, but it also fixes them!
Mitigating hardcoded secrets is hard. It requires the developers to rotate the secrets as they are always kept in the git history. The best solution I have seen to prevent developers from pushing secrets thus far is with GitHub Advanced Security, and I warmly recommend using it if it is an affordable option for your company and acceptable by the developers. However, not all secrets are equal and not all developers know how to rewrite the git history to remove the newly checked in secrets from their code. Therefore, we decided to let the developers choose the easiest way to mitigate secrets by them immediately after the code is pushed to the source code repository.
How would you know what the developers did and what is the status of every action? Here is an example:
The developer is becoming an increasing target for attackers, as such account takeover can cause an injection of malicious code or source code exfiltration. Additionally, while we assume that most developers have good intentions, the concern around insider threats spiked, especially since the tension between Russia and Ukraine started.
Arnica runs machine learning to profile each developer’s behavior and then inspects every new code push against more than 3000 characteristics. When abnormal behavior is detected, an automated workflow can be kicked off to immediately mitigate the risk. For example, Arnica can send a direct out-of-band message to the developer and ask if the code was pushed as expected and add a comment on the Pull Request to require another set of eyes on the anomalous code change before the code is merged into your production code.
Below is an example of a message that a developer gets on Slack:
In case you are curious about false positives, I can assure you that false positives do exist with every machine learning algorithm. Arnica enables you to set the custom threshold that fits best to your risk appetite.
At Arnica we believe that visibility across your environment should be free. It is yours, after all.
Look at the software supply chain security market, today. How many expensive “single panes of glass” do you see? As a security practitioner, I have personally evaluated too many security tools that focus on visibility but give users little security value leading to a stack of expensive dashboards!
A couple of examples of such features:
ALL of the above is FREE FOR EVERYONE FOREVER (and so is SSO)! At the end of the day, we believe that we have a responsibility to help everyone gain visibility to potential risks in their environment without a paywall. We believe it is more important (and valuable) to fix those risks!
The entire Arnica team believes that we can build a world where software development is unimpeded by risk.
Everything we do is driven by our belief that we will get there. Thus, we are building more visibility and mitigation capabilities across more of the development ecosystem that will make your developers and code less vulnerable. We will empower developers to own security with a single-click.
Enterprises today are faced with the need to harden their DevOps ecosystem to combat the proliferation of Software Supply Chain Attacks. These organizations are faced with the growing challenge of balancing development velocity, cost efficiency, and security.
Managing excessive developer permissions and identifying corresponding anomalous behavior are two obstacles in the way of establishing this equilibrium. Arnica was established to solve these obstacles by providing a seamless and frictionless active mitigation platform for exactly these issues and more. Arnica is the easy button for DevOps security.
Arnica analyzes excessive permissions, code risks and misconfigurations across the developer toolset and mitigates them.
press@arnica.io